It’s 4 a.m.! Do you know where your files are?

Emerging class of enterprise rights management software promises to secure sensitive information

Every electronic document has three states of being: rest, transit and use. Typical security products have focused only on the first two states: protecting information while it resides in a repository or moves across a network. A new category of security software called enterprise rights management (ERM) is offering a way to protect information while it’s in use.

The emerging technology relies on encryption, audit trails and the application of fine-grained user controls that limit the data people can access and how they can use that data, said Trent Henry, a senior analyst at the Burton Group. So some users may have full rights to view a certain document and use it as they see fit, but others might only be allowed to read the content, not print, copy, manipulate or e-mail the data.

“It really provides a secure envelope around the data no matter where it goes,” Henry said. “So if that information is stored in a content management system, copied to a laptop, written to a USB token or sent via e-mail, the protection follows the document and remains in place.”

In a nutshell, ERM software requires users to receive approval from a policy server before handling files. ERM provides a critical capability for government agencies, security experts say, because the ubiquitous nature of the Internet makes it easy to share documents and easy for confidential information to fall into the wrong hands. For example, a thief could steal a laptop computer, or an employee could e-mail a document to a wrong address.

“With the power of the Internet and e-mail, government agencies and the commercial world are realizing that sensitive information is going to places that it wasn’t intended,” said John Landwehr, director of security solutions and strategies at Adobe Systems, which offers an ERM product that integrates with its Acrobat electronic document product.

Existing information security cannot protect information once it leaves a repository, said Martin Lambert, chief technology officer at SealedMedia, an ERM vendor.

Dangers of sharing
Although public-key infrastructure technology can secure a document while it’s in transit to a destination beyond the enterprise, once someone opens the document, it is no longer protected. Anyone who has access to the document can print, copy or forward the data.

“The second you share information outside of the perimeter of your agency, any of the recipients could accidentally or deliberately — and untraceably —redistribute that content to anyone else in the world,” Lambert said. “Many of our customers have come to us because they’ve actually had a serious leak and they don’t want it to happen again.”

The ERM market is young and still evolving. It contains small specialty companies, such as SealedMedia and Liquid Machines, and big players who see the technology as complementary to their offerings. SealedMedia’s eRoom starts at $50,000 and includes a 20-user license, first-year maintenance and two days of consulting and training.

Similar to Adobe, Microsoft has an ERM product called Rights Management Services that works with its office automation products. And most recently, EMC jumped into the market with its acquisition of the ERM company Authentica.

As the market continues to evolve, customers want fewer stand-alone ERM products and more tightly integrated solutions, said Mark Overington, vice president of Authentica Marketing at EMC Software Group.

Incorporating Authentica into EMC’s Documentum family of content management software “augments the richest set of content controls within the repository with the needed controls to extend security to all other destinations to which content may flow,” Overington said.

Henry said he expects such opportunities for synergies to continue in the ERM market.

“The vendors see this as a sweet spot, where the enterprise content management vendors can really play hand-in-hand with rights management,” he said.

Government catching on
The major factor driving ERM is the perennial need for confidentiality and the growing incidence of theft, leaks, and employee abuse and error. This is an especially critical issue for federal, state and local agencies, some of which have missions that require employees to work entirely with sensitive mission and publicly owned data.

Industry players consider the government to be the perfect fit for ERM because it deals with so much confidential information and it increasingly collaborates in virtual teams of multiple agencies, contractors and suppliers. Also, government employees often work on stand-alone and remote devices outside the network perimeter.

Agencies already must share information with one another when doing so would increase efficiency, and they face new regulations to improve the protection of their information assets. In late June, the Office of Management and Budget issued a memo requiring agencies to comply with a checklist the National Institute of Standards and Technology issued to identify and classify sensitive information. Agencies must also enact policies and procedures to adequately safeguard that content, the memo states.

Several agencies have recognized the potential benefits and have implemented ERM, albeit on a limited basis. These include the Defense, Justice and Treasurydepartments.

“A fraction of a fraction of a percent of the applicability of this market has yet to be tapped,” Lambert said.

The Energy Department’s Office of Civilian Radioactive Waste Management (OCRWM), for example, is using SealedMedia’s Sealed eRoom product as part of a test project to protect highly sensitive information regarding the location of nuclear waste during transport and disposal. “It’s providing just the kind of security needed by our project teams,” said Deborah Payne, information technologist and software development project manager at OCRWM.

The technology effectively controls data access to authorized users, and its strong auditing capabilities enable officials to know who has accessed and edited the document and when, she said.

“It really makes our lives easier,” she said. OCRWM officials plan to distribute the software to the rest of the organization.

Richard Clarke, a former cybersecurity adviser to presidents Clinton and Bush and now chairman of Good Harbor Consulting, said he thinks that the technology is ideal for government agencies. “The thing is, there is almost no issue any more that sits in just one agency,” he said.

Homeland security represents a particularly troublesome situation, because at the state and local levels, only a few people are cleared to see confidential information, Clarke said.

“How do you share with the right people while making sure that the wrong people don’t have access?” he asked. “ERM is a good solution to that, because you can designate who can see it, who can mark it up, who can download it to a jump drive. It’s an incredible audit function from a security point of view.”

Limitations
ERM is not yet a perfect security solution, Henry said. It doesn’t protect against an analog attack, for example, meaning that if the information is on the screen, someone can take a picture and distribute it. Another concern is that in many circumstances, users determine the level of sensitivity and the rights required. And they might not always have the best judgment.

In addition, the solutions are still a mixed bag, Henry said. Most solutions work well with popular office and e-mail applications, but not necessarily with all versions. And some don’t have the mechanisms needed to allow users to easily work offline.

“ERM is not something that would be adequate for protecting classified information,” Henry said. “But for sensitive but unclassified data, it’s certainly a way for agencies to up the ante and provide some control and protection over the information.”

Nevertheless, the limited availability of a technology that protects documents while they are in use is an opportunity for agencies to add another level of strength to their security armor. Ed Gaudet, vice president of product management and marketing at Liquid Machines, said ERM can also improve user productivity by enabling additional ways to work securely.

“A lot of organizations have been forced to take Draconian security measures, like banning people from working at home or using USB ports to keep their data safe,” he said. “With ERM, agencies can find that balance between security and usability and support for business processes that the organization needs to achieve its mission.”

Hayes is a freelance writer based in Clifford, Va.

How it works: Security that follows the fileEnterprise rights management (ERM) products encrypt files according to rights-usage policies. ERM works on files created in commercial and customized software in a variety of formats.

An ERM policy server holds the encryption keys, licenses and policy templates associated with access and usage rights. Client-based software interacts with the user’s local applications.

In general, ERM solutions adhere to a similar workflow. When users working in a common office application want to lock a document using ERM, they apply the encryption and rights-protection to the content manually or automatically.

Users who receive that document must authenticate to the policy server before they can do anything with the file. Once a user is authenticated, the policy server distributes the associated license and keys to the user’s client software. That software, in turn, enforces the recipient’s access rights and controls content use.

Some ERM products will give users who have the appropriate rights an opportunity to work on a document away from the office, but they must reauthenticate from their new location. For that, network connectivity is required.

— Heather B. Hayes

Choosing a productWhen evaluating an enterprise rights management product, agencies should ask a number of questions, including:

  • Does it support the core office automation and e-mail applications — and the versions — your agency uses and the applications used by colleagues, project partners and contractors?
  • Can it tie into your existing identity management system?
  • How easy is it to deploy the client software?
  • Will it allow you to work offline with the same protection levels?
  • Can you manage policies based on different criteria, such as employee rank or the nature of content?
  • How quickly and easily can you change access and use policies, and can you revoke rights immediately?
  • Will it scale to support all of your users?
  • Does it let you gain the benefits without changing your work process?
  • — Heather B. Hayes

    When to use ERMWhich documents warrant the application of enterprise rights management software? John Landwehr, director of security solutions and strategy at Adobe Systems, said a simple test is to ask, “Would there be a problem if this document was publicly posted on the Internet?”

    Federal agencies would likely find ERM appealing when trying to protect:

  • Sensitive but unclassified documents.
  • Need-to-know content distribution.
  • Internally shared of classified documents.
  • Threat intelligence briefs.
  • Virtual team collaboration and sharing.
  • Records management.
  • — Heather B. Hayes

    Featured

    Stay Connected

    FCW Update

    Sign up for our newsletter.

    I agree to this site's Privacy Policy.